As is well known, on 23 February 2023 the European Commission asked its employees and collaborators to uninstall the TikTok social network application from their business and personal electronic devices. This request was accompanied by the notice that those who had not uninstalled the social network by 15 March would no longer be able to access other company applications such as the e-mail box or Skype services.
The decision taken by the European entity derives from a need to protect the data and information of those who work for it as well as from the need to increase IT security.
Could a private sector employer in Italy take the same decision?
In an attempt to provide an answer to this complex question, it is first of all necessary to distinguish between business and personal devices. If electronic tools, including mobile phones, are provided by the employer they are company equipment and, as such, the employer has the ability to implement a certain level of ‘control’ over them.
In fact, through the identification and adoption of internal policies defining rules for the correct use of the work tools with which its employees are equipped, the employer may introduce rules to prevent the improper use of the assigned tool and prohibit its use for personal purposes rather than prohibiting the installation of applications not connected to work activities on the device.
In the event of assignment of company tools, it is therefore highly recommended to implement internal policies and regulations that govern their correct use by assignees. In fact, these aspects have across-the-board consequences related to the management of the employment relationship. Just think, for example, of topics relating to (i) employment law, which also includes aspects relating to disciplinary sanctions that can be adopted in the event of a breach of company rules as well as the correct exercise of control powers by the employer, (ii) the protection of personal data, both of the employees themselves and of the data they process due to their duties, as well as (iii) health and safety and the risks to which the employees who use them could be exposed.
However, different conclusions can be reached on the subject of personal devices. Since these are, in fact, the employee’s own tools, the employer can limit, or even possibly exclude, the use of personal mobile phones during the workday without, however, entering into the merits of what can or cannot be installed on them.
Lastly, the use of electronic instruments, whether personal or business, exposes corporate assets to the risk of accidental loss, theft and dissemination. Therefore, employers must take care to adopt all appropriate measures to ensure sufficiently high levels of safety in full compliance with all applicable regulations in such circumstances.
On the basis of the considerations set out above, which in any case merit further investigation, it does not appear possible for an Italian employer to intervene directly on the personal electronic devices of its employees in the same way as the European Commission. However, defining, adopting and updating over time policies that regulate the use of work tools or the use of personal devices (during, for example, rest times during the working day) appears to be a fundamental measure that companies should consider in the broader definition of the strategic plan for the protection of both corporate assets and the parties that make up the reference organisation.
The Data Protection Authority, with order No. 479 dated 16 November 2017, deemed unlawful, and prohibited, the processing of personal data of employees carried out by Poste Italiane S.p.A. through a system used for the management of the waiting times at the counter. In particular, Poste Italiane deemed this system to be a work tool and consequently did not (i) involve the trade unions or (ii) issue any specific information to the staff. The Data Protection Authority, on the other hand, noted that the system implemented could not be deemed, pursuant to article 4, paragraph 2, of the Workers’ Charter, as “essential” for work performance, being instead one of the available tools for organising work activity, from which remote monitoring of workers’ activity could indirectly result. Therefore, its implementation would have required a trade union agreement and the provision to the employees concerned of adequate information on the methods and purposes of the processing made possible through the system. In addition, in the opinion of the Data Protection Authority, the basic principles of necessity, relevance and non-excessiveness in relation to the aims pursued were violated, given the continuous monitoring of work performance, the impossibility for the persons concerned to interrupt such monitoring and the existence of different measures to achieve the same corporate purposes.